{"id":"CVE-2019-2389","details":"Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14; MongoDB Server v3.4 versions prior to 3.4.22.","modified":"2026-04-11T09:40:07.370513Z","published":"2019-08-30T15:15:10.987Z","references":[{"type":"FIX","url":"https://jira.mongodb.org/browse/SERVER-40563"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mongodb/mongo","events":[{"introduced":"f4240c60f005be757399042dc12f6addbc3170c1"},{"fixed":"aa313e18da568c4afd120f99e56d2da7d7fcdd58"},{"introduced":"a57d8e71e6998a2d0afde7edc11bd23e5661c915"},{"fixed":"cbef87692475857c7ee6e764c8f5104b39c342a1"},{"introduced":"3b07af3d4f471ae89e8186d33bbb1d5259597d51"},{"fixed":"417d1a712e9f040d54beca8e4943edce218e9a8c"}],"database_specific":{"versions":[{"introduced":"3.4.0"},{"fixed":"3.4.22"},{"introduced":"3.6.0"},{"fixed":"3.6.14"},{"introduced":"4.0.0"},{"fixed":"4.0.11"}]}}],"versions":["r3.4.0","r3.4.1","r3.4.1-rc0","r3.4.10","r3.4.10-rc0","r3.4.11","r3.4.11-rc0","r3.4.12","r3.4.12-rc0","r3.4.13","r3.4.14","r3.4.14-rc0","r3.4.15","r3.4.15-rc0","r3.4.16","r3.4.16-rc0","r3.4.17","r3.4.17-rc0","r3.4.18","r3.4.18-rc0","r3.4.19","r3.4.19-rc0","r3.4.2","r3.4.2-rc0","r3.4.20","r3.4.20-rc0","r3.4.21","r3.4.21-rc0","r3.4.3","r3.4.3-rc0","r3.4.3-rc1","r3.4.3-rc2","r3.4.4","r3.4.4-rc0","r3.4.5","r3.4.5-rc0","r3.4.5-rc1","r3.4.5-rc2","r3.4.5-rc3","r3.4.5-rc4","r3.4.6","r3.4.6-rc0","r3.4.7","r3.4.7-rc0","r3.4.8","r3.4.8-rc0","r3.4.8-rc1","r3.4.9","r3.4.9-rc0","r3.6.0","r3.6.1","r3.6.1-rc0","r3.6.1-rc1","r3.6.10","r3.6.10-rc0","r3.6.10-rc1","r3.6.11","r3.6.11-rc0","r3.6.11-rc1","r3.6.11-rc2","r3.6.12","r3.6.12-rc0","r3.6.12-rc1","r3.6.13","r3.6.13-rc0","r3.6.13-rc1","r3.6.2","r3.6.2-rc0","r3.6.3","r3.6.3-rc0","r3.6.3-rc1","r3.6.4","r3.6.4-rc0","r3.6.5","r3.6.5-rc0","r3.6.6","r3.6.6-rc0","r3.6.7","r3.6.7-rc0","r3.6.7-rc1","r3.6.8","r3.6.8-rc0","r3.6.8-rc1","r3.6.9","r3.6.9-rc0","r4.0.0","r4.0.1","r4.0.1-rc0","r4.0.1-rc1","r4.0.10","r4.0.10-rc0","r4.0.10-rc1","r4.0.2","r4.0.2-rc0","r4.0.3","r4.0.3-rc0","r4.0.4","r4.0.4-rc0","r4.0.4-rc1","r4.0.4-rc2","r4.0.5","r4.0.5-rc0","r4.0.5-rc1","r4.0.6","r4.0.6-rc0","r4.0.6-rc1","r4.0.7","r4.0.7-rc0","r4.0.7-rc1","r4.0.8","r4.0.8-rc0","r4.0.9","r4.0.9-rc0"],"database_specific":{"vanir_signatures_modified":"2026-04-11T09:40:07Z","vanir_signatures":[{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_prefixed_record_store_test.cpp","function":"PrefixedWiredTigerHarnessHelper"},"digest":{"function_hash":"61937275010239874520346460970434129605","length":185},"signature_version":"v1","id":"CVE-2019-2389-1004a8a5","signature_type":"Function","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.cpp"},"digest":{"line_hashes":["26924533998250295673333829225315630128","294899704879593401439585358118034280990","26357773772601915398355273809563082302","36369067754841074126793706567586669838","225550587569448489494364761297828183055","184916337596216413079806980835012912337","16005808298556303105539870910980885256","326038935544088786231599736129175357720"],"threshold":0.9},"signature_version":"v1","id":"CVE-2019-2389-165fe0ca","signature_type":"Line","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_parameters.cpp","function":"WiredTigerMaxCacheOverflowSizeGBParameter::set"},"digest":{"function_hash":"325171484802284865273453348753238264298","length":344},"signature_version":"v1","id":"CVE-2019-2389-179f8cf0","signature_type":"Function","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_parameters.cpp","function":"WiredTigerMaxCacheOverflowSizeGBParameter::setFromString"},"digest":{"function_hash":"309332410048955961199855927604179246637","length":227},"signature_version":"v1","id":"CVE-2019-2389-36cf247e","signature_type":"Function","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_parameters.h"},"digest":{"line_hashes":["119176211318513759457844762229488862186","167630980375341147577685041171477178061","266221775816474542517747749908203203554","252740435069336828427599965994332911777","34170612815814906186014929515622184303","154909303271626918978999181290938289801","102675205115642847258618782620220392118","325729426310994268381941079181615944420","100465731876937299083359946438274196783","300473430996537526249928299169702568700"],"threshold":0.9},"signature_version":"v1","id":"CVE-2019-2389-3701e914","signature_type":"Line","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_global_options.cpp","function":"WiredTigerGlobalOptions::add"},"digest":{"function_hash":"310243720815985714085396491279593335487","length":2737},"signature_version":"v1","id":"CVE-2019-2389-381ecc81","signature_type":"Function","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_parameters.cpp"},"digest":{"line_hashes":["30969995706530208292417370433137582735","105624916076702668899293221139826753110","56377987737233038861690160489650955041","73725080892737409834804641603694074220","150348727581228710305049518861175884150","39392279374615221727101818932570257051","201296950247145913443590097656513358759","82782133590990389918334036292114069028","157729681886114202603114720506163836684","160551174030878405624478857064229772352","331158377951408687509433662341905408405","51128529274861169141063678668910027975","121428755211155561856683898612553980150","226295630971602917343392581547637419580","129993985236784239072741057800362497048","304788163467689446172424281842012883496","246122163920337456879294485748529833599","285879399499901161531209722608203762736","222354329717803450231735411731079875691","247835820645485198377467740988288328882","252566574113722857285232769128018684754","240776436868747816146082863967914811841","226341577968340403871572689970775288834","10681113961972605544187250185057543165","257432588444015083152414373172770725006","326345361037183589399368457819263151508","66433296482673760471420999115173452239","211403969985756980011869524380187725542","274920676961907635885142645811966643878","251279263110983465188537294025094558157","319133431755246212904104648430357583259","161707480851793673885886921342234773239","99301979971449527530495239030045619190","335528643977694596701889744457068632387","230487826986028092490761374767423268535","314891936430974586483051678623577449306","297297958185920560167079216389589866762","114965207342299961214228737732958698401","55207135636688483190530320739297226244","21528257321318194216502391937275486727","115665172727257208757293414161595975045","13382026041774216538777351346393308196","287288054846634883781542376193159825704","265442971244778847045764979711049865644","232373189888151771506092928520156279815","133757880430566243919717566544950500686","202353487195555505160461277194390641235","132554045127168992527609549912891510684","61686435888145368272611071041676773952","24633966662715656627286301798489406347","160394265571953931634857685371973915636","209282261313109613235284970878587356604","247100560728459991276497940144023503380","248244637521409413944083034815527995570","57807352491155151291238543027247327372"],"threshold":0.9},"signature_version":"v1","id":"CVE-2019-2389-3c2aba45","signature_type":"Line","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_parameters.cpp","function":"WiredTigerMaxCacheOverflowSizeGBParameter::WiredTigerMaxCacheOverflowSizeGBParameter"},"digest":{"function_hash":"32490590650425592794225243327840925787","length":258},"signature_version":"v1","id":"CVE-2019-2389-43431342","signature_type":"Function","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.h"},"digest":{"line_hashes":["335512549459391923139916337036348929547","26924533998250295673333829225315630128","294899704879593401439585358118034280990","26357773772601915398355273809563082302","36369067754841074126793706567586669838"],"threshold":0.9},"signature_version":"v1","id":"CVE-2019-2389-69670a67","signature_type":"Line","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine_test.cpp"},"digest":{"line_hashes":["138959281141294517281112006986386172524","58597587078759479769995464041558602345","154358495532815636517084075138668999113","102943481187578979618909960532568834843","165785192819830749444746111706803194483","18973782206086067397971193736271721203","3617982624798390393119596822693088149","270090421094939727893079222112675877089","28568461906609888853187260752884227883","80291531406500729640250683561383541915","6105029301158106519064548271867776658","223760593813976214606526022960553803428","321469164760366099906806400015892163753","175910447252115462066765619638094160235","135201260266502720881778557412003622294","9268272434792024952683112093726320735","102943481187578979618909960532568834843","165785192819830749444746111706803194483","18973782206086067397971193736271721203","3617982624798390393119596822693088149","270090421094939727893079222112675877089","28568461906609888853187260752884227883","80291531406500729640250683561383541915","3840225334900641061231296018747073664","156901327248016343810471341227556685451","97841995662293048910335699460096735473"],"threshold":0.9},"signature_version":"v1","id":"CVE-2019-2389-6fe25f99","signature_type":"Line","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_prefixed_record_store_test.cpp"},"digest":{"line_hashes":["18973782206086067397971193736271721203","3617982624798390393119596822693088149","270090421094939727893079222112675877089","28568461906609888853187260752884227883"],"threshold":0.9},"signature_version":"v1","id":"CVE-2019-2389-7452db60","signature_type":"Line","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_global_options.h"},"digest":{"line_hashes":["38079101604146539534475791259808892208","156414038250564622134750294707557772105","209586999999009640223531670584778675334","268342650047195845365776823454810479703","258852578411061926793537845349034731394","277736225196093030394296124676928018591","139444987617341794487780126264823500682","97217929470521567532498788635832656472","121760658055090446392678317161090746511","183867666675416423631459167770340332507","114574059631507776817150089223951885534","62416750766851205629200977621708402734"],"threshold":0.9},"signature_version":"v1","id":"CVE-2019-2389-7952c05c","signature_type":"Line","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_parameters.cpp","function":"WiredTigerMaxCacheOverflowSizeGBParameter::append"},"digest":{"function_hash":"249220919466888254283357919104976399644","length":151},"signature_version":"v1","id":"CVE-2019-2389-8264ec95","signature_type":"Function","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_global_options.cpp","function":"WiredTigerGlobalOptions::validateMaxCacheOverflowFileSizeGB"},"digest":{"function_hash":"92208364558702838890526700109616659378","length":268},"signature_version":"v1","id":"CVE-2019-2389-928609e9","signature_type":"Function","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.cpp","function":"_readOnly"},"digest":{"function_hash":"242134494251850389799080679595484001934","length":3508},"signature_version":"v1","id":"CVE-2019-2389-96fa9cdc","signature_type":"Function","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_standard_record_store_test.cpp"},"digest":{"line_hashes":["30888742784525923677032317438933729509","25405049016967465495261459088961942664","108430275857439391778589646845731983939","307672897278097863661314783820597410391","219733424293973400719052234968305455515","34977716437213413511171953821010319491","165074186159423819645958630099807510565","270090421094939727893079222112675877089","28568461906609888853187260752884227883"],"threshold":0.9},"signature_version":"v1","id":"CVE-2019-2389-9e071f18","signature_type":"Line","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/pipeline/document_source_check_resume_token.cpp","function":"DocumentSourceShardCheckResumability::_assertOplogHasEnoughHistory"},"digest":{"function_hash":"35307776376996613208368469558635971073","length":895},"signature_version":"v1","id":"CVE-2019-2389-b187b8f3","signature_type":"Function","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/417d1a712e9f040d54beca8e4943edce218e9a8c"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_standard_record_store_test.cpp","function":"WiredTigerHarnessHelper"},"digest":{"function_hash":"274544291887184650944379800949513136762","length":180},"signature_version":"v1","id":"CVE-2019-2389-b778bd51","signature_type":"Function","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_global_options.cpp"},"digest":{"line_hashes":["91055314593907758271581520916453233680","69400580127759428293100331030847686907","256253163489559536001890817179531253844","137484809639274624976462202084884865646","233354996002248994450811375019147216323","258560203673605396740210605139344302807","54712246082298648203107621335577855907","307800904484997096095719776127038579942","159379588331433999658642045305663683912","211727524224697119923606680857150769270","299483806370551535968508365956098446113","184933021766032046548868111426018119394","132494938563420263558657496031317238214","130893228505174576518198507217545198033","36732628835641092091783593094588260647","302031127111674900801362298521290365369","325480683017264320592302757544935470973","310328171411664039637669939519276160911","289145486250788516172093096461273047190","247628585208552138283206163555744516226","275239051466826275838393063692162946911","116376548743812900160537143042703123333","164486772153034520323226745742441309616","231968355649365043963983912752363832370","28691374122779552764930573739778662067","313700992358019747518429419886219112495","6925097916025524535816698214533196704","138443932340902702553947339465643158830","123693749380266184400512628193717955217","201296950247145913443590097656513358759","240540075116756743683504300481548049571","219805016373895661448378403625159538458","261259081224229000059884329424767238589"],"threshold":0.9},"signature_version":"v1","id":"CVE-2019-2389-ba670f3c","signature_type":"Line","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_standard_record_store_test.cpp","function":"WiredTigerHarnessHelper"},"digest":{"function_hash":"143366803366694879392082889439580295691","length":150},"signature_version":"v1","id":"CVE-2019-2389-c600da6e","signature_type":"Function","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/pipeline/document_source_check_resume_token.cpp"},"digest":{"line_hashes":["167518918914435676432805940120156966027","42577576105718594824592868041131127864","107829062590286512630322418334734066893","186644252817815549788452966273155634714","291439647942718436018620155882826246988","281090238329328453523002326089518094339","65631583751481164351762673206004578000","163486395883504952904815116704679049829"],"threshold":0.9},"signature_version":"v1","id":"CVE-2019-2389-cc93de27","signature_type":"Line","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/417d1a712e9f040d54beca8e4943edce218e9a8c"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_parameters.cpp","function":"applyMaxCacheOverflowSizeGBParameter"},"digest":{"function_hash":"138037723103739348523518582486217007310","length":841},"signature_version":"v1","id":"CVE-2019-2389-e84c3412","signature_type":"Function","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"},{"target":{"file":"src/mongo/db/storage/wiredtiger/wiredtiger_init.cpp"},"digest":{"line_hashes":["310146580520897529091603236058383986180","26476647247392739107244283062333938336","217180637706954189957457456304674143214","279510519548242700659241329706964909462","253231997010576437043582193026841235754","296696087895443701251287168509298372741","304780267454053032676945273545924287518","211752499210942888831639801962537288876","259814991867545950990499811176724444412","63707461790820426546467420079989263614","39333271144929399137406733847507298179","283002936117167343425544759961897720372","242882990221318487199694784758875632881","85487768097559104067683138212628255793","200924419717922695762157848011487157106","221379262514070593589592254769107946975","78510497639385470143827694551492761088"],"threshold":0.9},"signature_version":"v1","id":"CVE-2019-2389-f0fcb07e","signature_type":"Line","deprecated":false,"source":"https://github.com/mongodb/mongo/commit/cbef87692475857c7ee6e764c8f5104b39c342a1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-2389.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H"}]}